[00:01.040 --> 00:05.580]  All right, we're back live. And thank you, Tyler, for supporting DEF CON,
[00:05.580 --> 00:09.880]  supporting the community, supporting the Red Team Village, and for being here.
[00:10.040 --> 00:12.940]  And with that said, without any further ado, take it away.
[00:13.640 --> 00:18.440]  Hey, good evening, late night DEF CON. This is 50 Shades of Sudo Abuse.
[00:18.440 --> 00:21.100]  I'm Tyler Boykin, and this will be my talk.
[00:24.080 --> 00:29.760]  So, we'll do a quick about. And the intended audience level for this kind of thing is
[00:29.760 --> 00:34.980]  beginner to intermediate. And there's plenty of talks on some whiz, some cool advanced stuff.
[00:34.980 --> 00:39.740]  But I figured we'd keep it in the beginner-intermediate range.
[00:39.740 --> 00:44.640]  Or if you're a more seasoned professional, you may pick up a few things, maybe a good refresher.
[00:44.720 --> 00:51.440]  We'll do a brief crash course on sudo, on where it stands on the TTP,
[00:51.440 --> 00:55.860]  the MITRE realm of things. And then we'll cover the sudoers file.
[00:55.860 --> 00:59.360]  And then we'll hit up some enumeration and recon.
[00:59.840 --> 01:03.260]  And then we'll go into the fun stuff, which are all the examples.
[01:04.720 --> 01:10.500]  So, a little bit about me. I'm an Aggie communications officer with the Marine Corps.
[01:10.880 --> 01:14.300]  Cut my teeth with network engineering and information assurance.
[01:14.300 --> 01:18.460]  And then now I do security engineering for BioLite Professional IT Services.
[01:18.700 --> 01:22.000]  And so you can find me on Twitter and a few other places.
[01:23.120 --> 01:29.320]  Okay, so "superuser do," whether you're calling it pseudo or sudo,
[01:29.320 --> 01:31.220]  we're talking about the same thing.
[01:31.640 --> 01:39.640]  And it's basically, it allows any permitted user to execute commands as another intended user.
[01:39.640 --> 01:43.880]  Typically, 90% of the time, it's going to be approved.
[01:44.360 --> 01:49.000]  And the security policy, which is what we'll dive into as we're going into this,
[01:49.000 --> 01:55.180]  determines what privileges, what allocations, what all can that user do.
[01:57.420 --> 02:07.120]  And whereupon authentication, specific tokens are made, and sudo tracks
[02:07.780 --> 02:11.820]  each and every failed or successful authentication.
[02:12.000 --> 02:17.200]  And it'll remember you for five minutes, so if you ever notice that, and then so on.
[02:18.480 --> 02:26.080]  And so when you execute a command, and you'll see this later on too, unlike su, as you were,
[02:26.080 --> 02:29.980]  the security policy just states which environment you get.
[02:29.980 --> 02:35.940]  So whenever you are actually running sudo, you inherit all of that user's environment variables in full.
[02:35.940 --> 02:41.520]  For instance, you get the, unless it's explicitly stated otherwise.
[02:41.520 --> 02:43.820]  So you typically get their environment variables.
[02:43.820 --> 02:47.740]  You'll get a variety of IDs, right?
[02:47.740 --> 02:51.340]  And unless you specify otherwise.
[02:51.540 --> 02:55.080]  Real effective user IDs, group IDs, right?
[02:55.080 --> 02:58.700]  You get a good variety of things up there.
[02:58.700 --> 03:00.800]  But it's as the target user.
[03:02.820 --> 03:05.920]  And these are straight out of the sudo man pages.
[03:05.920 --> 03:11.940]  I'm just going inch deep, mile wide stuff, just to kind of give a little bit of a background.
[03:11.940 --> 03:15.020]  There is no easy way, right?
[03:15.020 --> 03:17.000]  There is no easy way.
[03:17.060 --> 03:28.240]  And this is to prevent a malicious user from escalating, abusing stuff if stuff is allocated.
[03:28.240 --> 03:32.140]  Simply because there's a whole breadth of things.
[03:32.300 --> 03:39.480]  There's this breadth of applications and features that can be manipulated maliciously.
[03:39.480 --> 03:42.620]  It gets rather hard.
[03:42.840 --> 03:46.000]  And so, I mean, there are ways to mitigate this.
[03:46.000 --> 03:54.980]  You force, or at least you really crank down on, the least-privilege kind of method of security and whatnot.
[03:54.980 --> 03:59.880]  But really, you have to be particularly stringent when allocating stuff.
[04:00.480 --> 04:04.640]  Okay, so we'll kind of shift gears here into MITRE.
[04:05.100 --> 04:09.000]  And so it falls under abuse elevation control.
[04:09.000 --> 04:11.340]  So this shouldn't be anything new, right?
[04:11.340 --> 04:17.580]  This is pretty similar vernacular to what we've been talking about the past couple of minutes.
[04:18.140 --> 04:25.880]  Adversaries may circumvent mechanisms designed to control and elevate privileges to higher level and so on.
[04:25.880 --> 04:34.040]  And so where the sudo and the sudoers falls into is now the new format, which they went to sub-techniques.
[04:34.220 --> 04:37.020]  And I'll give you all a quick minute to read that.
[04:37.020 --> 04:38.460]  I think I've got it.
[04:38.880 --> 04:40.260]  No, I'm just kidding.
[04:40.860 --> 04:44.080]  So basically it says the same thing.
[04:44.120 --> 04:51.460]  Adversaries may perform sudo caching, and that's to where they go after those token files.
[04:52.060 --> 04:58.800]  And so in the directory, each user that attempts to authenticate via sudo gets their own specific directory.
[04:59.180 --> 05:03.400]  And then each attempt has its own little file. It's kind of cool.
[05:03.400 --> 05:11.860]  And then adversaries may attempt to abuse the caching or misconfigurations in sudoers,
[05:11.860 --> 05:23.620]  and that is where you'll actually wind up seeing a lot of the stuff for all this talk are mostly out of sudoers misconfigurations.
[05:25.400 --> 05:28.320]  Okay, and that's a good segue.
[05:28.320 --> 05:35.240]  So sudoers is the primary configuration file when you're working with sudo.
[05:36.200 --> 05:38.360]  It resides in /etc.
[05:38.620 --> 05:42.880]  Technically, you can edit it with whatever you want to.
[05:42.880 --> 05:47.820]  That is not encouraged because it is very syntax picky.
[05:47.920 --> 05:52.320]  So generally speaking, you make a copy of it and you use visudo.
[05:52.800 --> 06:01.440]  And if you use visudo to edit the file, it'll run the error checking, the syntax checking immediately upon exit.
[06:01.460 --> 06:07.940]  Or you can just, let's say, if you wanted to tweak something, mess with something, you can always just run the standalone checker on the file.
[06:15.270 --> 06:17.650]  So that's what it's basically going to look like.
[06:17.650 --> 06:19.150]  You're going to have...
[06:21.450 --> 06:25.470]  If you make a misconfiguration anywhere in sudoers, it'll yell at you.
[06:25.470 --> 06:27.250]  Like that.
[06:27.310 --> 06:31.250]  And then if you're good, then it tells you, okay.
[06:34.030 --> 06:39.970]  So the sudoers specifies the who, what, when, where.
[06:40.030 --> 06:41.670]  It's the be-all, end-all.
[06:41.670 --> 06:46.130]  Other documents contribute to this whole security order, this whole policy.
[06:46.130 --> 06:52.270]  But the main point of configuration is sudoers.
[06:52.270 --> 07:00.170]  And so unlike... by default, password authentication is required, but you can specify no password.
[07:00.310 --> 07:07.350]  But unlike su, where you authenticate as the user which you are trying to do stuff as, so let's say root.
[07:07.350 --> 07:10.190]  You authenticate as root.
[07:10.230 --> 07:16.350]  Sudo, using sudoers, you authenticate as the user calling it.
[07:16.350 --> 07:19.450]  And so it's a little bit less.
[07:20.710 --> 07:23.850]  And so the file is composed of two main parts.
[07:23.850 --> 07:25.970]  It has some other sections, too.
[07:27.890 --> 07:30.950]  And you can go into a little bit more detail about that.
[07:30.950 --> 07:38.030]  But for the purposes of what we're doing here, you're going to have your aliases, which are kind of like variables and placeholders.
[07:38.610 --> 07:45.070]  And then you have your userspecs, which are the five Ws.
[07:45.090 --> 07:47.990]  And there's quite a few userspecs for these examples.
[07:50.010 --> 07:55.370]  And so when multiple entries stack up, they're applied in order.
[07:55.510 --> 07:57.270]  You see that a lot in userspecs.
[07:57.270 --> 08:01.310]  And then if there's... and then it racks and stacks into the last one.
[08:08.320 --> 08:10.000]  So, aliases.
[08:10.120 --> 08:13.920]  The interesting thing is that this syntax in the man pages is actually a little less...
[08:13.920 --> 08:17.940]  When you see them in a sudoers file, it kind of makes sense, right?
[08:17.940 --> 08:20.020]  But the format is kind of eh.
[08:20.020 --> 08:22.400]  But essentially, it's alias type.
[08:22.400 --> 08:23.660]  Name.
[08:23.660 --> 08:26.740]  And then you go on and you can specify whatever you're trying to alias.
[08:26.740 --> 08:30.080]  And then you have your defaults that you can always set to.
[08:31.720 --> 08:34.200]  And so, moving on a little bit.
[08:34.200 --> 08:39.820]  Sudo allows for shell-style globs and wildcards.
[08:39.900 --> 08:47.520]  It's not actual regex, but if you've ever done anything in bash or shell or whatever, it's similar in functionality.
[08:47.840 --> 08:51.360]  An asterisk is one or more.
[08:52.020 --> 08:55.000]  And then question mark is any single character.
[08:55.300 --> 09:01.900]  You can kind of do range, kind of splitting between brackets and so on.
[09:01.900 --> 09:07.400]  But this isn't... it's not actual regex, but it functions similar to what you see in bash or any kind of shell.
[09:09.840 --> 09:12.680]  Okay, so we're down to the user specs.
[09:12.920 --> 09:16.480]  And this is actually a little bit more of the intuitive part, in my opinion.
[09:16.540 --> 09:19.160]  Because it basically... it's the who, what, when, where.
[09:19.160 --> 09:20.720]  You have the who, where.
[09:20.720 --> 09:23.640]  In the parentheses, you have the as whom.
[09:23.700 --> 09:31.920]  And you can use colons to delineate further detail into that.
[09:31.940 --> 09:33.140]  And then the what.
[09:33.140 --> 09:39.880]  And then sandwiched between the what are tag specs that kind of throw stipulations on some of the activities on how it's done.
[09:39.880 --> 09:42.720]  And we'll go into that with the next slide or two.
[09:42.720 --> 09:45.700]  And so the run as spec.
[09:45.700 --> 09:48.000]  So, for example, me at server.
[09:48.240 --> 09:50.840]  Me at host server.
[09:51.100 --> 09:53.880]  You know, as operator, these commands.
[09:54.440 --> 09:55.780]  It's not to the web.
[09:57.280 --> 10:00.100]  And so tag spec, and this is what I was talking about earlier.
[10:00.100 --> 10:04.500]  It sandwiches in between the as whom and the command part, right?
[10:04.700 --> 10:10.540]  And this can either greatly, drastically make a red teamer's life easier
[10:10.540 --> 10:13.860]  or it can make it a little bit more difficult, make it more complicated.
[10:14.420 --> 10:18.280]  NOPASSWD, you'll see sometimes.
[10:18.960 --> 10:25.220]  SETENV also: you can deliberately manipulate the environment when you're calling those commands.
[10:25.220 --> 10:32.460]  And NOEXEC prevents dynamically linked applications from actually calling a shell on themselves.
[10:32.460 --> 10:34.920]  Or running commands themselves, you know.
[10:34.920 --> 10:38.720]  And we have an example of that later on also.
[10:38.720 --> 10:41.760]  But I'm going to hope for that NOPASSWD.
[10:42.160 --> 10:43.440]  So much easier.
[10:44.160 --> 10:46.880]  Okay, so enumeration.
[10:49.400 --> 10:50.960]  So there's manually, right?
[10:50.960 --> 10:52.300]  You have sudo -l.
[10:54.080 --> 10:59.920]  And if you're lucky, and this could be for any kind of real-world pen testing, CTFs.
[10:59.920 --> 11:02.160]  Could be for any type of thing, right?
[11:02.320 --> 11:03.720]  You have sudo -l.
[11:03.860 --> 11:05.480]  And it might be as easy as that.
[11:05.480 --> 11:08.000]  The user that you may have compromised may be a sudoer.
[11:08.000 --> 11:15.560]  And when you do sudo -l, you may get a listing of, you know, everything that user can do, right?
[11:15.560 --> 11:17.500]  You have /etc/sudoers.
[11:18.380 --> 11:20.400]  It should, hopefully it exists.
[11:20.660 --> 11:25.260]  If you can read it as an unprivileged user, I think there are bigger things going on.
[11:25.260 --> 11:27.700]  Or you're in a CTF, you know.
[11:27.700 --> 11:32.560]  But, I mean, that would help you help enumerate and get a bigger picture of things.
[11:32.800 --> 11:37.100]  In the event that you cannot, for instance, let's say you can't do sudo.
[11:37.100 --> 11:40.200]  But you're still trying to look at version numbers or whatever else.
[11:40.200 --> 11:45.360]  You can still get the version number from sudo with sudo -V and just do some googling.
[11:45.700 --> 11:49.020]  You know, maybe you can find a user or service that can't use sudo.
[11:49.020 --> 11:52.140]  And then you may be able to leverage that for exploitation.
[11:53.080 --> 11:54.280]  /etc/group.
[11:54.280 --> 11:55.840]  And so, same thing.
[11:55.840 --> 11:59.860]  You can see additional users that may be in, you know, the sudoers group.
[11:59.960 --> 12:06.400]  And then one of the places it logs to is /var/log/auth.log.
[12:06.400 --> 12:09.420]  And so, that's all manual stuff.
[12:10.340 --> 12:16.380]  And generally speaking, because this is a subset of privilege escalation,
[12:16.380 --> 12:22.540]  you don't need as many expansive tools and resources to really enumerate what you have, per se.
[12:22.540 --> 12:25.180]  You know, let's say if you're doing some other things.
[12:25.260 --> 12:26.860]  But there are automated things.
[12:26.860 --> 12:30.420]  For MSF, you know, you have post modules.
[12:30.800 --> 12:32.840]  I think Meterpreter has a few also.
[12:32.840 --> 12:35.500]  And then there's some pretty well-known scripts, too.
[12:35.500 --> 12:36.700]  Like LinEnum.
[12:36.720 --> 12:41.920]  Anybody who's done CTFs and some other things has used LinEnum.
[12:41.920 --> 12:43.940]  That's a pretty well-known one.
[12:44.040 --> 12:46.520]  FallofSudo is actually pretty neat also.
[12:46.520 --> 12:52.080]  And I make another reference to the creators of that.
[12:52.100 --> 12:56.540]  And that particular one in the middle references that for that particular CVE.
[12:57.400 --> 13:04.520]  Okay, so examples.
[13:05.360 --> 13:09.480]  So this is from the creator of FallofSudo.
[13:09.480 --> 13:15.160]  And this is more the degree of examples.
[13:15.160 --> 13:17.900]  Because it's kind of a spectrum.
[13:17.900 --> 13:22.800]  And I like to use the fruit, the hanging fruit kind of analogies.
[13:22.800 --> 13:27.440]  So the two examples, a complete lack of configuration.
[13:28.000 --> 13:30.180]  It's nothing wide open.
[13:30.180 --> 13:31.680]  It's low hanging fruit.
[13:32.020 --> 13:33.360]  That's the lowest hanging fruit.
[13:33.360 --> 13:35.480]  And you should go for the lowest hanging fruit first.
[13:35.480 --> 13:37.140]  Because those are the beginnings.
[13:37.480 --> 13:39.120]  Or you might see...
[13:39.860 --> 13:43.600]  They've tried to configure secure sets of rules.
[13:43.600 --> 13:47.120]  But there may be a bug in one of the applications.
[13:47.420 --> 13:48.780]  It may be something flagged.
[13:48.780 --> 13:50.120]  Or they just didn't know.
[13:50.240 --> 13:52.300]  But they're trying.
[13:52.300 --> 13:57.840]  Or it just may not be configured consistently throughout whatever they're doing.
[13:58.180 --> 13:58.640]  Right?
[13:58.860 --> 14:05.740]  Which is actually pretty normal for any other kind of real system hardening and whatnot.
[14:06.420 --> 14:07.600]  And you get the lowest of the fruit.
[14:07.600 --> 14:08.820]  You get the open sudo.
[14:08.860 --> 14:12.860]  And then you've got the top part, which is the fairly secure, as he's mentioning.
[14:12.940 --> 14:17.800]  But for today's purposes, we're going to be mostly residing mostly in the middle.
[14:17.800 --> 14:19.420]  You'll have a little bit of low fruit.
[14:19.420 --> 14:22.500]  And we'll have a little bit of the cool stuff up at the top.
[14:22.500 --> 14:24.300]  But the middle is going to be...
[14:24.300 --> 14:25.620]  That's where the fun playground is.
[14:25.620 --> 14:28.880]  Because it's a little bit gamier, in my opinion.
[14:30.480 --> 14:31.200]  Okay.
[14:31.420 --> 14:36.520]  So when you're doing this, you want to get creative and inventive.
[14:36.520 --> 14:45.280]  Because you don't necessarily have to get a fancy CVE, per se, with these.
[14:45.280 --> 14:54.180]  You don't have to make an alphanumeric fricking ROP chain or anything like that.
[14:54.180 --> 14:56.900]  You're just using what exists creatively.
[14:56.900 --> 14:58.560]  And so that's kind of the cool part about it.
[14:58.560 --> 15:00.800]  And can you read something off limits?
[15:00.800 --> 15:02.140]  Can you write to something?
[15:02.140 --> 15:06.160]  If you can write to something, then you can go really far then.
[15:06.300 --> 15:06.800]  Right?
[15:08.900 --> 15:11.700]  This is where you're scouring the man pages.
[15:11.700 --> 15:14.700]  And you're looking for flags.
[15:14.700 --> 15:17.500]  You're looking for little subtle things that may be kind of useful.
[15:17.500 --> 15:19.900]  And that's why it's more fun.
[15:20.360 --> 15:23.760]  And it's kind of a misnomer, escalate laterally.
[15:23.760 --> 15:25.440]  You may be able to move laterally.
[15:25.440 --> 15:32.540]  I haven't really seen many non-root users specified in sudoers.
[15:32.540 --> 15:33.460]  But that's an option.
[15:33.460 --> 15:35.460]  You can do sudo as a different user.
[15:36.980 --> 15:40.420]  But using that gets you to a different user.
[15:40.420 --> 15:43.940]  I mean, that's worth mentioning on a pentest report.
[15:43.940 --> 15:46.500]  And that may get you to something bigger and better.
[15:46.500 --> 15:48.540]  It's not always about up and down.
[15:48.540 --> 15:50.040]  Sideways works too.
[15:50.260 --> 15:50.860]  Right?
[15:52.060 --> 15:58.360]  And so with that, we are now entering low-hanging fruit.
[15:58.900 --> 16:00.840]  So this is the easy stuff.
[16:00.840 --> 16:03.260]  Open sudo, the classic example.
[16:03.260 --> 16:08.320]  Wide open, user authenticates as himself, his or herself, whatever.
[16:08.320 --> 16:12.060]  And then the system is their oyster.
[16:12.060 --> 16:15.100]  They're one step, a few keystrokes away from root.
[16:16.160 --> 16:18.780]  And so you go into a little bit more.
[16:19.200 --> 16:30.120]  So these, any applications that directly result in a shell, they're pretty much right next to there.
[16:30.220 --> 16:34.080]  This is your sh, ksh, zsh, whatever, right?
[16:34.080 --> 16:35.200]  su.
[16:35.200 --> 16:42.080]  And any actual programming languages too, because those can, again, cough up shells.
[16:42.420 --> 16:44.760]  Cough up shells, cough up functionality.
[16:46.260 --> 16:48.780]  Those are pretty big gummies.
[16:51.060 --> 16:54.280]  And so then we go, this is kind of like a little bit higher.
[16:54.280 --> 16:59.220]  We're turning up the volume on the creativity a little bit, right?
[16:59.220 --> 17:04.340]  And so you've got commands, right?
[17:05.180 --> 17:11.640]  And so you're not, they don't give you, they can give you instant shells, but it's not right off the bat.
[17:11.640 --> 17:13.540]  So you've got to dig for stuff a little bit.
[17:13.540 --> 17:15.080]  And you have to use stuff unintended.
[17:15.620 --> 17:17.780]  You've got to think outside the box.
[17:18.200 --> 17:21.580]  And so that's why I think, that's why I kind of like some of these.
[17:22.100 --> 17:23.620]  And so here are a few examples.
[17:23.620 --> 17:25.680]  When you do wget, right, for instance.
[17:25.680 --> 17:34.900]  If you supply -i with an input file, it'll attempt to read each line in that file as its own URL and it'll attempt to shoot it.
[17:34.900 --> 17:38.940]  So if you do sudo wget -i whatever, say /etc/shadow, right?
[17:39.060 --> 17:44.880]  Each line of /etc/shadow, wget is going to try to resolve or make a request to each line of /etc/shadow.
[17:44.880 --> 17:48.540]  I mean, it'll fail, but that's file read, right?
[17:48.640 --> 17:52.300]  You're now reading sensitive files that you're not supposed to.
[17:53.340 --> 17:55.160]  And same thing with curl.
[17:55.660 --> 17:57.420]  And this one's actually kind of cool.
[17:57.420 --> 18:00.400]  These are two web request applications.
[18:00.720 --> 18:04.380]  And you don't even have to make an actual web request for them, really.
[18:05.220 --> 18:06.600]  So it's kind of neat.
[18:06.600 --> 18:08.240]  And so you continue at an offset.
[18:08.900 --> 18:12.020]  And then it'll automatically find where to resume.
[18:12.020 --> 18:16.920]  And you basically specify the remote name, which is local.
[18:16.920 --> 18:18.580]  And so then you specify file://.
[18:18.580 --> 18:31.500]  It actually accepts, in this format here, file://, kind of like you're doing FTP or whatever, or HTTP, the location on the local system.
[18:31.500 --> 18:36.760]  And it'll download it and you can read it.
[18:36.760 --> 18:38.160]  It's actually pretty neat.
[18:39.420 --> 18:41.800]  Base64 is another interesting sample.
[18:41.800 --> 18:42.640]  That's file read.
[18:42.640 --> 18:44.060]  I think that's file write also.
[18:44.060 --> 18:45.280]  I'll have to double check.
[18:45.280 --> 18:50.100]  But essentially, you're looking at, it's file read.
[18:50.100 --> 18:54.480]  And if you pipe it into itself and supply the -d flag, you have the clear text.
[18:54.560 --> 18:56.320]  You have it in base64.
[18:57.600 --> 19:06.520]  And then GCC, if you supply -wrapper, it'll run the command that you supply.
[19:06.520 --> 19:12.560]  And all params are passed comma separated after the initial command.
[19:14.020 --> 19:17.020]  And then at the very end, we're tagging along.
[19:17.020 --> 19:22.140]  Let's say you have kind of a bug or like a big, gaping kind of bug thing.
[19:22.460 --> 19:29.810]  And it's kind of a mix between the high level and low level.
[19:30.120 --> 19:36.480]  But any bugs that are incurred under sudo are going to have sudo consequences also.
[19:36.480 --> 19:42.120]  So, where's my demo thing?
[19:42.120 --> 19:42.780]  Okay.
[19:42.900 --> 19:47.820]  So, we will do some shell time.
[19:47.820 --> 19:48.800]  How about this?
[19:49.180 --> 19:53.240]  So, ls, section1, open sudo.
[19:53.240 --> 19:56.000]  So, yeah, sudo -l, right?
[19:56.000 --> 20:00.780]  Anything. You do sudo su, cat root.txt.
[20:00.780 --> 20:01.560]  That's what it looks like.
[20:01.560 --> 20:05.420]  That's what I'm using for these particular purposes.
[20:05.420 --> 20:08.400]  Looks like that kind of jazz, right?
[20:11.260 --> 20:17.160]  So, apps, sudo -l.
[20:17.460 --> 20:19.780]  And so, this is pretty much the same thing too.
[20:19.800 --> 20:23.460]  If you run sudo with the top two, you're going to get an instant shell.
[20:24.080 --> 20:28.320]  Creatively, I think the kind of neat one and one that you can use for if you're working,
[20:28.320 --> 20:31.900]  trying to get a non-limited shell is with the Python.
[20:31.900 --> 20:40.170]  And so, Python, most interpreted kinds of languages and some other things, accept inline commands, correct?
[20:40.720 --> 20:49.060]  So, pty.spawn, pity the fool, bash, right?
[20:49.060 --> 20:50.360]  And so then your root.
[20:51.120 --> 20:53.960]  It's pretty cut and dry.
[20:54.000 --> 20:56.200]  It was pretty straightforward.
[20:56.760 --> 21:00.940]  So, now we're getting into a little bit more fun stuff with wget and whatnot.
[21:02.060 --> 21:10.560]  So, if you notice, it accepts an input file.
[21:10.560 --> 21:16.450]  And so, basically, that's what it looks like.
[21:16.450 --> 21:20.110]  It tried to run the flag in our particular case.
[21:20.490 --> 21:25.890]  It tried to make a request to it and obviously it's going to fail because it's nothing, right?
[21:26.270 --> 21:31.430]  And so, that was pretty neat when I first learned that, right?
[21:31.430 --> 21:34.990]  And so, base64, similar thing.
[21:35.930 --> 21:43.830]  It comes in as you're basically piping it to itself and you're specifying -d, which means decode.
[21:46.570 --> 21:49.710]  So, here we go.
[21:51.390 --> 21:53.730]  -wrapper, we have got root.
[21:54.590 --> 21:56.270]  It ran sh.
[21:58.090 --> 22:02.230]  And then, lastly, for this little bit, curl.
[22:02.230 --> 22:07.670]  So, it literally downloads, and drops it into the local directory.
[22:10.110 --> 22:11.650]  We've got the flag.
[22:12.970 --> 22:14.930]  Bada bing, bada boom.
[22:15.470 --> 22:22.430]  And so, in this particular instance, it's just a small program, say, mycat, right?
[22:22.430 --> 22:23.730]  Just to show an example.
[22:23.730 --> 22:35.450]  Obviously, and didn't mention this before, but as we progress along, you'll see a common trend of applications having more than one exploitation vector, right?
[22:35.450 --> 22:38.210]  So, it may not just be file read.
[22:38.210 --> 22:39.490]  It may can do file write.
[22:39.490 --> 22:42.950]  It may be able to do commands, right?
[22:42.950 --> 22:49.010]  It just depends on how you work it and whatnot.
[22:49.010 --> 22:57.130]  And so, in this particular case, it basically takes in through standard input and sends that to system, right?
[22:57.130 --> 23:00.110]  So, there's two, at least two with this one.
[23:00.110 --> 23:06.630]  So, I do sudo mycat, root.txt, right, file read, sensitive file read.
[23:06.630 --> 23:13.930]  You can also write /bin/sh, get root.
[23:13.970 --> 23:18.010]  Typical string exploitation.
[23:21.890 --> 23:23.010]  Okay.
[23:24.890 --> 23:27.210]  Okay, now we're going to get a little bit fun now.
[23:27.210 --> 23:28.950]  So, pager abuse.
[23:31.510 --> 23:33.910]  Okay, those got mixed up.
[23:33.910 --> 23:35.150]  Okay, so pagers.
[23:35.150 --> 23:47.410]  So, whenever you run man or service or any kind of terminal editor, and those things where you can scroll up, down, left, right, it's called a terminal pager.
[23:47.970 --> 23:53.490]  And the interesting thing is that people know what it is, but they don't know what it is per se.
[23:53.510 --> 23:57.850]  But it's basically what happens behind the scenes is a terminal pager gets called.
[23:57.850 --> 24:04.710]  And they accept extra commands.
[24:04.710 --> 24:12.730]  When you supply an exclamation mark, anything proceeding that exclamation mark gets run as a command.
[24:14.070 --> 24:18.150]  So, your editors, you know, vim, nano, etc.
[24:18.610 --> 24:21.190]  And so, yeah.
[24:21.190 --> 24:23.630]  We'll go ahead and show that right quick.
[24:23.630 --> 24:37.120]  Like, ls, section2, pagers, if I can type, ls.
[24:37.620 --> 24:43.340]  So, yeah, if I do sudo man man, quick example, we're now in a terminal pager.
[24:43.580 --> 24:45.740]  You can go up, down, left, right, whatever.
[24:45.740 --> 24:50.380]  By simply just typing stuff, it'll start parsing your input.
[24:50.380 --> 24:55.580]  And by doing exclamation mark, everything after this will be run as a system command.
[24:55.580 --> 25:00.360]  So, !sh, we're now root, etc.
[25:02.740 --> 25:05.700]  Same thing with service, too.
[25:05.700 --> 25:10.100]  So, sudo service blank status.
[25:10.100 --> 25:11.920]  I'm going to get all of them.
[25:11.920 --> 25:13.860]  I'm going to open up a pager.
[25:17.260 --> 25:20.760]  !sh, easy peasy.
[25:20.760 --> 25:26.200]  And so, a neat thing is you tend to forget these types of things.
[25:26.200 --> 25:30.280]  But let's say you do a service, but it doesn't have that much output.
[25:31.700 --> 25:34.360]  It's more just kind of terminal fundamentals, perhaps.
[25:34.500 --> 25:36.640]  Let's say you do cron status, right?
[25:37.600 --> 25:41.000]  And actually, it does do a pager right there, midway.
[25:41.020 --> 25:46.580]  But for whatever reason, if the pager ends prematurely, let's say it finishes,
[25:46.580 --> 25:49.140]  you can always just shrink your freaking terminal down to like here.
[25:49.600 --> 25:56.040]  And then do it again, and it'll open up the pager for you.
[25:56.220 --> 25:57.620]  So, I think that's kind of neat.
[26:05.820 --> 26:09.920]  Yes, GTFOBins. A lot of these are on GTFOBins.
[26:09.920 --> 26:13.880]  Now, I tried not to just go down and just start listing them off.
[26:13.880 --> 26:15.780]  I tried to grab a variety of different things.
[26:15.780 --> 26:23.040]  So, yeah, GTFOBins is definitely very, very handy.
[26:23.040 --> 26:27.620]  If you're not using that, you're definitely crippling yourself in what you can do.
[26:28.060 --> 26:29.480]  Okay, cron abuse.
[26:29.620 --> 26:31.680]  So, this kind of goes without saying.
[26:32.320 --> 26:39.100]  If you can edit, you can manipulate or run or do any kind of service type things
[26:40.800 --> 26:44.760]  as root, that's going to have root-like implications.
[26:45.620 --> 26:50.560]  And so, that's a pretty short slide.
[26:51.040 --> 26:59.120]  But, so, sudo -l, or ls, sorry, section3, cron, ls.
[27:00.420 --> 27:02.860]  Yeah, and so in this particular instance, right,
[27:04.060 --> 27:07.360]  and so it's actually worth noting that if you do crontab,
[27:07.360 --> 27:12.400]  if you haven't done it before on the system, and you don't have the right environment variables set,
[27:12.400 --> 27:13.880]  what's the first thing it asks you?
[27:13.880 --> 27:17.180]  It asks you, what editor would you like to use?
[27:18.000 --> 27:26.880]  And so then you have editor-style exploits with whatever kind of services you can do also.
[27:28.480 --> 27:33.060]  So, in this particular case, sudo -l.
[27:33.280 --> 27:39.240]  So, let's do sudo crontab -e, and I already have something set up,
[27:39.240 --> 27:48.160]  but now we're in Vim, right, so any kind of root, easy peasy.
[27:48.240 --> 27:56.600]  But, there's also the implication that you can edit root's crontab and run stuff as root, any kind of services.
[27:56.600 --> 28:02.260]  In this particular case, I have this little script here, and all it does is, just for the example,
[28:03.460 --> 28:07.720]  it basically reads in root text and writes it to the current directory.
[28:07.720 --> 28:10.820]  It's pretty easy peasy.
[28:10.820 --> 28:15.760]  So, sudo service cron start.
[28:18.610 --> 28:20.550]  And you'd have to wait a minute.
[28:20.730 --> 28:26.890]  And let me see what's going on, on the Discord.
[28:26.950 --> 28:27.790]  Okay.
[28:28.570 --> 28:34.010]  So, at some point, probably in a minute, I might not just wait for it,
[28:34.010 --> 28:38.470]  but we'll see root text should hopefully populate up here.
[28:39.810 --> 28:42.070]  But, I don't think I'll wait for that.
[28:42.630 --> 28:44.790]  So, you'll just have to deal with it.
[28:45.130 --> 28:47.950]  Okay, so now we're getting into a little bit more fun stuff.
[28:48.230 --> 28:50.030]  LD_PRELOAD is actually kind of neat.
[28:53.550 --> 28:56.970]  And you need a bit of a background to understand what's going on.
[28:56.970 --> 29:02.190]  So, LD_PRELOAD, it's an exploit.
[29:02.450 --> 29:09.210]  You're using a feature that is intended to be used with dynamically linked binaries.
[29:10.350 --> 29:18.290]  Whereas all the methods and all the stuff is resolved at runtime,
[29:18.290 --> 29:19.830]  versus when it's statically linked.
[29:19.830 --> 29:22.950]  You get that bigger file if you statically link everything,
[29:22.950 --> 29:27.870]  but you don't have to worry about shared objects being all messed up and whatever.
[29:27.870 --> 29:31.370]  You have everything in one nice big package.
[29:32.230 --> 29:38.550]  But, obviously, with dynamic linking, you do have a smaller file size.
[29:38.550 --> 29:45.050]  You have your typical libc and a bunch of other things to worry about.
[29:45.050 --> 29:48.430]  But, overall, it's a little bit more flexible.
[29:49.910 --> 30:00.870]  And so, with the LD_PRELOAD, you can essentially tell it to load that stuff before it loads the other stuff.
[30:00.870 --> 30:09.330]  And so, you can essentially overwrite any kind of method or function in whatever application you're running.
[30:09.930 --> 30:14.310]  And so, we need to put a few things together.
[30:14.310 --> 30:19.670]  You're combining a custom functionality with a binary that's being run as sudo.
[30:19.890 --> 30:22.130]  And, obviously, that's going to equal fun.
[30:22.210 --> 30:23.790]  Pretty fun.
[30:23.790 --> 30:26.890]  And so, you'll see this in the environment.
[30:27.150 --> 30:31.490]  Whenever I've seen it, it's been in the environment.
[30:31.650 --> 30:34.170]  And the binary also has to be compiled for it.
[30:35.350 --> 30:41.650]  And so, the syntax for when you want to go about business with this, the sudo LD_PRELOAD,
[30:41.650 --> 30:48.930]  you can export it to the env, to your environmental variables,
[30:48.930 --> 30:52.610]  or you can just run it all in one, like how we're about to do here in a minute.
[30:53.650 --> 30:56.590]  So, demo.
[31:01.740 --> 31:06.240]  So, L section for LD_PRELOAD.
[31:07.880 --> 31:12.900]  So, in this particular case, we can run the example.
[31:12.900 --> 31:16.620]  And I tried to cite, I got some of these examples straight off the internet.
[31:16.620 --> 31:17.940]  I tried to cite them.
[31:17.940 --> 31:21.600]  You can find these, I'll link to them, so if you want to look at them, reference them too.
[31:22.300 --> 31:29.400]  So, in this particular case, the example was, it runs a loop, and it prints 10 random numbers.
[31:29.400 --> 31:33.700]  It calls rand, and it outputs the standard out 10 numbers.
[31:33.820 --> 31:38.600]  So, in this particular case, because it's a dynamically linked,
[31:39.800 --> 31:46.880]  we can provide our own stuff, and we have the LD_PRELOAD environmental variable set.
[31:46.880 --> 31:56.220]  So, in this particular case, cat drandom, and basically, it's going to overwrite the rand function,
[31:56.220 --> 31:58.900]  and it'll just return 42.
[31:59.120 --> 32:03.640]  So, example C, right here, right?
[32:03.640 --> 32:09.520]  And so, you're basically going to, essentially, you're going to make that do what you want it to,
[32:09.520 --> 32:11.540]  which is kind of cool.
[32:11.540 --> 32:13.920]  So, for this particular example,
[32:24.670 --> 32:44.750]  So, sudo LD_PRELOAD drandom, shared object, to example.
[32:44.750 --> 32:49.550]  And, as you see, we basically made random do what we want to.
[32:49.550 --> 32:53.930]  So, it's no longer random. It just prints 10 42s instead of a bunch of actual random.
[32:54.050 --> 32:59.890]  So, taking that a step further, oh, we can manipulate the file as sudo.
[33:00.070 --> 33:01.650]  So, what do we do?
[33:02.190 --> 33:04.310]  We get evil.
[33:05.550 --> 33:09.910]  And, in this particular case, we're overwriting init, which happens right off the bat.
[33:11.590 --> 33:15.330]  And, you know, we basically pop shell.
[33:15.830 --> 33:23.470]  And so, using a similar type thing, evil, we are now rooted.
[33:23.470 --> 33:24.430]  It's pretty cool.
[33:24.430 --> 33:30.370]  And another cool thing is that it'll finish running the rest of the application once we exit.
[33:30.370 --> 33:30.970]  See?
[33:30.970 --> 33:34.270]  Because we only overwrote init. We didn't overwrite the rest of it.
[33:34.270 --> 33:35.410]  So, it's kind of neat.
[33:36.010 --> 33:37.130]  Okay.
[33:42.610 --> 33:43.170]  Okay.
[33:45.090 --> 33:46.210]  Installers.
[33:46.250 --> 33:53.990]  So, it goes without saying, right, that installing any kind of application is a security concern,
[33:53.990 --> 33:59.910]  especially if you're going to install it as admin, as root, any kind of privileged accounts, right?
[34:00.150 --> 34:05.430]  And so, these can definitely be leveraged in various kinds of ways.
[34:05.430 --> 34:07.890]  Pip, apt-get, dpkg, you name it.
[34:09.330 --> 34:14.370]  And so, for instance, a lot of these have multiple, let's say, apt-get and dpkg.
[34:14.370 --> 34:16.550]  They both invoke a pager.
[34:16.790 --> 34:21.610]  You can do stuff during install, providing custom functionality.
[34:21.950 --> 34:28.750]  For example, pip, when you're in setup, you can specify entire methods for doing stuff.
[34:28.950 --> 34:31.090]  It becomes your oyster.
[34:31.090 --> 34:39.150]  So, obviously, installing things as root is a big, critical security consideration.
[34:40.950 --> 34:42.190]  Okay.
[34:42.190 --> 34:45.470]  We will hit that up.
[34:54.470 --> 34:58.090]  Okay, so, sudo -l.
[34:58.970 --> 35:03.810]  Okay, so, how does one make that a shared object?
[35:05.970 --> 35:09.450]  You compile and link.
[35:10.110 --> 35:14.590]  You basically don't do the full process when you compile.
[35:16.210 --> 35:21.250]  If somebody doesn't share that with you, we can grab that here after this.
[35:22.070 --> 35:30.470]  But basically, you make it a shared object, and it can be used by other dynamically linked applications.
[35:33.150 --> 35:37.630]  So, let me grab my thing real quick, y'all.
[35:38.210 --> 35:45.050]  Okay, so, for the pager, right, pager abuse, sudo apt-get.
[35:45.900 --> 35:47.250]  Not bad.
[35:49.430 --> 35:51.090]  Change log.
[35:54.270 --> 35:56.990]  See, we now have a pager.
[35:57.250 --> 36:00.090]  So, the old stuff still applies.
[36:00.350 --> 36:09.150]  And so, having that kind of mentality that, oh yeah, we're in familiar territory, it will help us for later on.
[36:09.150 --> 36:16.970]  And so, in this example, we have apt-get shell package.
[36:16.970 --> 36:23.230]  And all it's doing, you're basically providing custom functionality, and it runs at the very end.
[36:23.230 --> 36:34.450]  So, all you gotta do, you can specify, instead of making a normal web request out, you specify a local file for which to draw from.
[36:34.450 --> 36:37.810]  And then it basically goes like that.
[36:39.150 --> 36:40.190]  It's pretty cool.
[36:43.620 --> 36:49.820]  And the same thing with, when you go to setup, or setup, excuse me, pip.
[36:49.980 --> 37:00.420]  So, in this particular case, we have a setup.py, like what you'd see in any, if you're installing any kind of module, any kind of thing written in Python or whatever, you'll have your setup.py.
[37:00.840 --> 37:05.340]  And in this particular case, it actually does a reverse shell.
[37:05.340 --> 37:09.080]  And so, I'm gonna use, I need to split screen for a minute.
[37:09.080 --> 37:15.150]  I think that one was 1, 2, 3, 4, 5.
[37:16.710 --> 37:19.210]  So, 1, 2, 3, 4, 5.
[37:19.210 --> 37:27.290]  We do sudo pip install . to specify from the local directory.
[37:28.290 --> 37:29.410]  And we do.
[37:30.210 --> 37:31.330]  And we have.
[37:31.810 --> 37:32.870]  Bada bing.
[37:33.730 --> 37:35.050]  Pretty cool.
[37:36.390 --> 37:38.070]  Exit. Exit all out.
[37:38.070 --> 37:39.250]  All that jazz.
[37:39.250 --> 37:40.690]  Okay.
[37:43.940 --> 37:45.280]  Right on, right on.
[37:46.860 --> 37:49.960]  So, path and secure path.
[37:49.960 --> 37:59.320]  So, these, so if you recall back, right, globs and whatnot are acceptable within the sudoers file.
[37:59.460 --> 38:03.960]  The asterisk, star, whatever, is what are more?
[38:03.980 --> 38:06.140]  Question marks, new characters, and so on.
[38:06.140 --> 38:12.360]  So, and this is kind of in the same family as your normal environmental variable path, right?
[38:12.360 --> 38:15.820]  It's in the same vein of exploitation.
[38:16.280 --> 38:22.840]  If you see asterisks, you see stars in the sudoers file, you can have similar consequences, too.
[38:23.160 --> 38:27.660]  So, it's kind of similar in this particular case.
[38:27.660 --> 38:33.500]  Not exactly, but for example, if you see a dot in the env, it's gonna read from the current directory first,
[38:33.500 --> 38:35.320]  wherever it's being invoked, and then it goes on.
[38:36.560 --> 38:39.300]  It goes on down the line, right?
[38:39.300 --> 38:42.820]  And if you see an asterisk, that means anything for that directory.
[38:43.240 --> 38:45.880]  And so, that's what's happening in this particular case.
[38:45.880 --> 38:49.420]  You know, anything in bin, you know, is free game.
[38:49.620 --> 38:52.200]  And so, obviously, that's not particularly secure.
[38:52.840 --> 38:58.640]  And so, interesting enough, for sudoers, right, you have the secure path.
[38:58.640 --> 39:06.420]  So, if you don't actually trust the environmental variables at the lower level to be well-formed or whatever,
[39:06.420 --> 39:10.360]  or to be secure, you can kind of override that with your own secure path.
[39:10.700 --> 39:19.740]  But obviously, if the secure path is misconfigured, that's fun for more than one person involved.
[39:20.800 --> 39:29.440]  So, and in this particular example, we made secure_path /tmp to show that it's kind of a misconfiguration of sorts.
[39:30.720 --> 39:36.200]  So, l section6 path.
[39:36.200 --> 39:39.240]  I believe for this one, I'm doing the bin.
[39:39.240 --> 39:46.440]  So, and it's also worth noting, right, in other kind of privilege escalation mindset,
[39:46.440 --> 39:52.220]  that, you know, I can run anything in this directory.
[39:52.220 --> 39:56.480]  And so, as sudo, so you can basically write your own shell.
[39:56.480 --> 40:00.740]  You can do whatever, and it'll run what you want.
[40:00.740 --> 40:04.300]  So, in this particular case, I just made id, it runs shell.
[40:04.400 --> 40:05.880]  It's weird, but whatever.
[40:05.880 --> 40:14.140]  You know, and so, sudo, let me copy all that, I ain't typing that stuff.
[40:14.180 --> 40:16.260]  Boom, id.
[40:20.900 --> 40:24.260]  It's pretty intuitive.
[40:24.400 --> 40:29.620]  And then, sudo -l.
[40:29.760 --> 40:34.680]  So, this particular one, it's going to check /tmp first.
[40:34.680 --> 40:37.120]  Because that's a misconfiguration on the secure path.
[40:37.180 --> 40:38.040]  And it's a particular one.
[40:38.040 --> 40:41.260]  And there's actually another exploit later on that utilizes double stars.
[40:41.260 --> 40:43.300]  But this is for the example, this purposes.
[40:43.680 --> 40:46.620]  You know, where is usually, where is ping usually at?
[40:46.620 --> 40:49.140]  Ping is usually /usr/bin, right?
[40:49.140 --> 40:58.580]  But obviously, if we do sudo /tmp, and ahead of time, it's /tmp/ping, right?
[40:58.580 --> 41:05.100]  You get the flag, because in that particular file, it does the same thing.
[41:05.100 --> 41:07.080]  It's just reading and printing, right?
[41:08.060 --> 41:14.260]  And so, that's just insecure path considerations when you're using globs and whatnot.
[41:15.700 --> 41:16.440]  Okay.
[41:19.630 --> 41:23.830]  So, we're getting there.
[41:23.830 --> 41:24.790]  We are getting there.
[41:24.790 --> 41:26.210]  Okay, so this one's kind of neat.
[41:26.210 --> 41:28.330]  So, editors and sudoedit.
[41:29.150 --> 41:31.710]  So, you have your obvious kind of blatant stuff.
[41:31.710 --> 41:33.590]  You already got your pager and whatnot.
[41:33.590 --> 41:38.170]  And anything with editors, you have file read, file write, any kind of commands.
[41:38.170 --> 41:40.610]  But how it does some things are kind of weird, right?
[41:40.610 --> 41:48.730]  And so, there's a few new things I stumbled upon while I was even making this in the past months.
[41:49.990 --> 41:55.510]  And we will include an actual CVE with this also, because it's kind of in the same line of things.
[41:56.410 --> 41:58.310]  And this is the actual CVE.
[41:58.310 --> 41:59.910]  It's on Exploit-DB.
[42:01.410 --> 42:05.710]  sudoedit does not check the full path.
[42:05.710 --> 42:07.150]  So, if you use double globs.
[42:07.870 --> 42:13.450]  And so, the POC for this is you create a symlink to anything sensitive, right?
[42:13.470 --> 42:19.970]  Anything sensitive, and it'll resolve that as correct, and it'll run it.
[42:20.250 --> 42:21.630]  And you're good.
[42:21.810 --> 42:23.030]  It's pretty cool.
[42:23.790 --> 42:29.510]  So, we will get to keyboard mashing.
[42:29.990 --> 42:35.570]  L, section, 7, editors, clear.
[42:35.570 --> 42:37.050]  sudo -l.
[42:38.470 --> 42:39.530]  Okay.
[42:39.530 --> 42:41.910]  So, we can do that one first.
[42:41.910 --> 42:47.090]  So, in this particular example, we have two directories.
[42:47.990 --> 42:52.870]  Test2 with protected, which is the actual symlink to it.
[42:53.650 --> 42:56.250]  It's going to /etc/shadow right now.
[42:57.270 --> 42:57.970]  And then we have...
[42:58.410 --> 43:00.850]  Let me scooch that up a little bit for us here.
[43:01.330 --> 43:02.270]  There we go.
[43:02.550 --> 43:02.970]  All right.
[43:02.970 --> 43:04.370]  And so, var...
[43:04.370 --> 43:06.030]  I just made some dirs.
[43:06.030 --> 43:06.870]  And this one is...
[43:07.510 --> 43:08.950]  It's actually really nothing.
[43:08.950 --> 43:10.690]  I think it has some stuff on it.
[43:10.690 --> 43:11.950]  I forget what I put on there.
[43:12.150 --> 43:18.750]  But, either way, the user can't access either of them, because it does not have the permissions.
[43:19.350 --> 43:19.590]  All right.
[43:19.590 --> 43:20.050]  But...
[43:20.050 --> 43:21.590]  So, if I were to do...
[43:22.870 --> 43:23.590]  Sudo...
[43:24.670 --> 43:25.990]  sudoedit.
[43:25.990 --> 43:26.970]  Right.
[43:27.290 --> 43:28.590]  And then specify...
[43:30.990 --> 43:32.870]  Test2 protected.
[43:34.310 --> 43:35.750]  Oops.
[43:38.480 --> 43:44.100]  So, it is worth noting that if you fat-finger something, you fat-finger it,
[43:46.800 --> 43:49.220]  it will ask you for a password.
[43:49.220 --> 43:56.800]  So, if you specify no password on a security policy, and whatever you're doing is prompting you for a password,
[43:56.800 --> 44:03.440]  then that action is not covered under the policy, and you're likely not going to be able to do it.
[44:18.290 --> 44:19.630]  sudoedit.
[44:27.600 --> 44:28.880]  There we go.
[44:28.880 --> 44:29.380]  Okay.
[44:29.380 --> 44:32.240]  And so, now we are in /etc/shadow.
[44:32.880 --> 44:34.880]  I must have been fat-fingering something.
[44:35.920 --> 44:38.880]  And so, this next example is actually kind of cool.
[44:39.140 --> 44:41.840]  So, we have this entry right here.
[44:41.840 --> 44:43.000]  No password.
[44:43.240 --> 44:46.660]  So, they're trying to lock us down to them, but they also have NOEXEC.
[44:46.880 --> 44:51.220]  And so, if we recall what NOEXEC is, it means no shells, or you can't run commands.
[44:51.220 --> 44:53.420]  You especially can't pop shells, right?
[44:53.500 --> 44:58.060]  And they are trying to lock us down to where we can only edit this particular file,
[44:58.060 --> 45:01.940]  which doesn't exist, but you can obviously open it.
[45:01.940 --> 45:05.780]  You can create the file and then save or do whatever in them.
[45:06.300 --> 45:09.240]  So, and we'll test that theory, right?
[45:09.240 --> 45:11.700]  sudo vim.
[45:11.700 --> 45:14.100]  Let's say we want to do root.txt, right?
[45:14.220 --> 45:18.000]  Can't do it because we're being prompted by password.
[45:18.080 --> 45:23.700]  Let's say if we use sudo vim, and we actually do go to this.
[45:28.470 --> 45:29.130]  Right.
[45:29.130 --> 45:32.350]  So, obviously, and if we try to do our typical shenanigans, right?
[45:32.350 --> 45:34.930]  Nope. Denied.
[45:34.930 --> 45:36.650]  No shell for you, right?
[45:36.650 --> 45:41.050]  It's pretty cool, but here's a neat trick.
[45:41.050 --> 45:47.510]  You can source externally from within editors to doing your own stuff.
[45:47.510 --> 45:51.770]  So, :e for edit, :r for write, for read, right?
[45:54.840 --> 45:55.920]  Exactly.
[45:56.280 --> 45:58.080]  So, I think that's pretty neat.
[45:58.080 --> 46:04.320]  And then you can basically kind of wiggle around from inside, kind of like that.
[46:06.120 --> 46:06.940]  Okay.
[46:07.320 --> 46:10.600]  We are hooking and jabbing.
[46:10.600 --> 46:13.240]  We got a couple more, and then we are done-skies.
[46:14.000 --> 46:15.140]  So, pwfeedback.
[46:15.140 --> 46:21.760]  This one is an actual, this is also an actual CVE and has an Exploit-DB entry.
[46:22.560 --> 46:26.880]  So, basically, in older renditions of sudo,
[46:26.880 --> 46:31.360]  it will ask you for your password, but when you supply stuff via standard input,
[46:31.360 --> 46:33.720]  it gives little stars.
[46:34.040 --> 46:38.040]  And, essentially, there is a stack-based buffer overflow,
[46:38.460 --> 46:43.460]  too much input through standard input,
[46:43.460 --> 46:46.100]  and you supply long enough of a string,
[46:46.100 --> 46:51.140]  you can then put in whatever malicious badness, goodness that you want.
[46:51.140 --> 47:00.360]  And it's actually a pretty simple exploit, and it's pretty simple to check out.
[47:03.160 --> 47:06.060]  And we will go ahead and do that.
[47:07.480 --> 47:10.420]  However, I need to see what user...
[47:10.420 --> 47:11.580]  One second.
[47:12.380 --> 47:16.760]  I need to get what I call these, because I don't call them all intuitive names, per se.
[47:17.720 --> 47:18.660]  Eight.
[47:19.340 --> 47:20.560]  Oh, that one is.
[47:20.560 --> 47:22.120]  Okay.
[47:23.880 --> 47:26.260]  Okay, pwfeedback, right?
[47:26.280 --> 47:33.140]  So, sudo -l, in this particular case, we do need it this time.
[47:33.760 --> 47:37.560]  We do need it to prompt us for a password, so we can actually exploit,
[47:39.420 --> 47:41.800]  we can smash the stack, basically.
[47:42.860 --> 47:46.280]  And so, I have two POCs,
[47:46.280 --> 47:48.920]  and then I think once you can find it on...
[47:48.920 --> 47:50.820]  I think I'll link to at least one of these.
[47:50.820 --> 47:52.760]  They're pretty self-explanatory.
[47:53.440 --> 48:01.140]  So, this first one, it's 100 As terminated by a null, and it does this 50 times.
[48:01.480 --> 48:08.200]  And then after that, you can pipe in whatever commands you want, generally speaking, after the S.
[48:08.200 --> 48:22.540]  And so, for instance, if I were to do sudo, actually, POC, rear root, right?
[48:22.540 --> 48:26.740]  And notice in here, we're not actually supplying a password.
[48:26.740 --> 48:28.940]  It did ask us for a password, right?
[48:28.940 --> 48:32.960]  So, if we do sudo whatever, it asks us for a password, and we had to supply it.
[48:32.960 --> 48:36.560]  But because we smashed the stack, basically, and then supplied our own command,
[48:36.560 --> 48:39.660]  that's basically how we went out of business there.
[48:39.660 --> 48:41.400]  And the same thing with POC2.
[48:42.340 --> 48:43.660]  It's the same concept.
[48:43.660 --> 48:45.200]  It's just more fanciness.
[48:45.200 --> 48:48.500]  In that case, it does a reverse shell, like before.
[48:48.880 --> 48:52.240]  Okay, we have about 10 minutes left.
[48:52.560 --> 48:53.800]  I'm going to go ahead and...
[48:53.800 --> 48:55.420]  Yeah, we can do that one, too. Why not?
[48:55.940 --> 48:56.940]  Why not?
[48:56.940 --> 48:58.620]  Demux.
[49:01.460 --> 49:04.500]  This one was 3.4.
[49:06.700 --> 49:08.460]  POC2.
[49:10.000 --> 49:11.760]  Hmm.
[49:11.760 --> 49:13.560]  That's curious.
[49:13.700 --> 49:15.560]  Oh my god.
[49:16.400 --> 49:18.800]  Well, they all almost worked.
[49:24.550 --> 49:25.690]  Hmm.
[49:25.750 --> 49:27.910]  Might have to fuck with that later.
[49:27.910 --> 49:30.550]  But they'll get the general principle.
[49:38.920 --> 49:40.240]  Demo gods.
[49:41.380 --> 49:41.920]  So...
[49:42.700 --> 49:43.780]  Okay.
[49:44.640 --> 49:45.860]  Limited shells.
[49:45.860 --> 49:47.480]  This one's actually pretty neat.
[49:47.480 --> 49:50.560]  And I learned this, actually, by doing Pentester Academy.
[49:50.920 --> 49:57.400]  And if you're trying to look for different neat kind of ways to enhance your existing skill set,
[49:57.400 --> 50:00.260]  or learn completely new things, I highly encourage that.
[50:00.260 --> 50:05.360]  I'm not trying to shill for Pentester Academy or Vivek, but he's a great instructor,
[50:05.360 --> 50:07.220]  and they have some great coursework.
[50:07.220 --> 50:11.980]  And so, in this particular one, just showing this particular example.
[50:12.920 --> 50:15.700]  And it's kind of a hypothetical, too, right?
[50:15.780 --> 50:23.280]  So, let's say you have a huge credentials.
[50:23.860 --> 50:29.520]  Normally, you would be able to do sudo as a user, but you do not have a full TTY.
[50:29.680 --> 50:33.020]  Let's say, for whatever reason, you can't make a full TTY.
[50:33.020 --> 50:39.260]  You can't do the socat, the stty raw -echo trick, all those normal things.
[50:39.260 --> 50:40.820]  Let's say those aren't working.
[50:40.820 --> 50:45.000]  But you still have a limited shell, and you have the ability to run sudo,
[50:45.000 --> 50:49.140]  because you can run sudo, and you have the user's credentials.
[50:49.560 --> 50:53.060]  So, you can use, in this example, the expect command.
[50:54.280 --> 50:58.060]  And the expect command basically simulates user interactivity.
[50:59.720 --> 51:03.200]  And command, you know, on the man page, this is alphabetically,
[51:03.200 --> 51:07.580]  but there's always, there's four of them that you would practically really need to know
[51:07.580 --> 51:09.760]  in order to run this example.
[51:10.680 --> 51:14.220]  Spawn, which spawns the command of whatever you supply.
[51:14.540 --> 51:17.300]  Send is providing input to standard input.
[51:18.180 --> 51:22.700]  Expect parses, I think it does both standard out and standard error.
[51:23.020 --> 51:25.480]  I haven't tested that, but I think it does.
[51:25.480 --> 51:27.540]  It does both, at least does standard out.
[51:27.540 --> 51:29.980]  And then, you got interact.
[51:30.300 --> 51:34.940]  And then, that basically goes hands-on at that point.
[51:34.940 --> 51:38.940]  It's kind of like, if you ever used pwntools with Python, right?
[51:38.940 --> 51:42.560]  It's like the interactive, similar kind of mentality there.
[51:43.600 --> 51:46.080]  And so, I'll break this down.
[51:46.080 --> 51:48.540]  expect -c, you're supplying the command.
[51:48.540 --> 51:50.980]  You then spawn sudo -S.
[51:51.040 --> 51:54.000]  So, it's kind of like a spawn, the spawn, the spawn thing, right?
[51:54.000 --> 51:59.440]  sudo -S, in this case, we're just going to read root.txt.
[52:00.040 --> 52:02.340]  We spawn that process.
[52:02.340 --> 52:06.880]  We then look for, with globs, it supports globbing too.
[52:06.880 --> 52:08.860]  So, you don't have to be exact exactly.
[52:08.860 --> 52:12.940]  You can, a little bit of wiggle room when you're doing your expect.
[52:12.960 --> 52:18.200]  We look for password, because that's typically what you see whenever you're prompted by sudo.
[52:18.240 --> 52:21.000]  We will provide the password,
[52:21.760 --> 52:25.100]  which, in this case, it's always the username, because for demo examples,
[52:25.560 --> 52:28.120]  you do have to provide your own enter,
[52:28.120 --> 52:30.220]  and then you interrupt.
[52:31.460 --> 52:33.300]  So, demo.
[52:36.390 --> 52:37.790]  Okie dokie.
[52:40.880 --> 52:44.280]  And this one will require a limited shell.
[52:44.280 --> 52:46.380]  It will require a reverse.
[52:48.320 --> 52:50.600]  These ones, three, four, five.
[52:51.320 --> 52:52.600]  I forget.
[52:55.730 --> 52:56.450]  Okay.
[52:57.910 --> 53:01.850]  So, in this case, I made a shitty little, didn't really make.
[53:01.850 --> 53:03.450]  Oh, it's one, two, three, four. I'm sorry.
[53:04.450 --> 53:05.170]  Four.
[53:06.710 --> 53:07.430]  Okay.
[53:08.270 --> 53:12.210]  So, it's a little crummy shell.
[53:12.210 --> 53:13.190]  You can't do anything.
[53:13.190 --> 53:14.150]  You don't have an environment.
[53:14.150 --> 53:15.550]  There's no terminals, no nothing.
[53:15.550 --> 53:16.430]  It's bare bones.
[53:16.430 --> 53:21.130]  What you might see, if you're doing a CTF, a real pen test,
[53:21.130 --> 53:23.070]  where you don't actually have functionality,
[53:23.070 --> 53:25.490]  you know, it's a limited shell, it's a limited shell,
[53:25.490 --> 53:27.310]  it's a limited shell, right?
[53:27.310 --> 53:31.050]  You got nothing, really, per se.
[53:31.050 --> 53:33.170]  So, in this particular instance,
[53:35.470 --> 53:41.770]  we can then supply the big glob that we had previously.
[53:42.290 --> 53:43.070]  And so,
[53:44.970 --> 53:46.070]  hit enter,
[53:46.750 --> 53:48.650]  and there's our flag.
[53:55.160 --> 53:56.120]  Okay.
[53:56.720 --> 53:57.360]  So,
[53:58.280 --> 54:00.060]  we're at the finish line now,
[54:00.060 --> 54:01.880]  and this one's actually a pretty quick one,
[54:01.880 --> 54:03.580]  and it's more recent, too.
[54:04.860 --> 54:05.740]  This one,
[54:06.360 --> 54:08.800]  it doesn't check for the existence of the user,
[54:08.800 --> 54:10.120]  and so when it runs,
[54:11.380 --> 54:14.300]  it executes with the arbitrary user ID,
[54:14.300 --> 54:15.960]  and it returns a zero.
[54:15.960 --> 54:19.360]  Zero is also root's ID, right?
[54:19.760 --> 54:20.940]  And so, and then,
[54:20.940 --> 54:22.940]  and that's executed for privileges,
[54:22.940 --> 54:25.180]  or whatever you specify on the end of it.
[54:25.180 --> 54:27.340]  And you test that out, too,
[54:27.340 --> 54:29.600]  because if you specify,
[54:29.600 --> 54:31.840]  see, in the as whom clause
[54:31.840 --> 54:33.940]  of this user spec,
[54:33.940 --> 54:35.160]  you can specify,
[54:35.160 --> 54:38.560]  you can't run stuff as root, for instance.
[54:38.860 --> 54:39.480]  Right?
[54:39.480 --> 54:40.640]  And so,
[54:41.680 --> 54:43.020]  this particular one,
[54:43.020 --> 54:45.000]  I actually do need to copy and paste.
[54:45.000 --> 54:47.160]  My username is
[54:48.560 --> 54:49.440]  the,
[54:49.940 --> 54:51.420]  it's not as intuitive.
[54:52.240 --> 54:53.120]  Okay.
[54:53.120 --> 54:55.180]  sudo -l, right.
[54:55.180 --> 54:57.440]  So, generally speaking, if I try to do anything,
[54:57.440 --> 55:00.340]  either not as this particular application,
[55:00.820 --> 55:02.760]  or if I try to do that,
[55:02.760 --> 55:03.680]  but as root,
[55:03.680 --> 55:05.060]  it's obviously not going to work,
[55:05.060 --> 55:08.480]  because it is explicitly stated in the user spec.
[55:08.480 --> 55:10.160]  However, given this particular
[55:10.160 --> 55:12.460]  type of sudo,
[55:12.460 --> 55:14.940]  you don't have to worry about that.
[55:15.320 --> 55:16.260]  Right? And so,
[55:16.260 --> 55:18.600]  let me get,
[55:18.600 --> 55:20.120]  excuse me while I whip that out.
[55:20.120 --> 55:20.780]  Okay.
[55:24.810 --> 55:26.270]  So, yeah, you simply just do
[55:26.270 --> 55:28.510]  sudo -u,
[55:28.510 --> 55:30.190]  and there's tons of scripts, too, where you basically
[55:30.190 --> 55:32.670]  scrape the internet looking for this.
[55:33.410 --> 55:34.730]  They're pretty nifty.
[55:34.790 --> 55:36.450]  So, if I try to run anything
[55:36.450 --> 55:38.370]  other than those two, you'll get prompted
[55:38.370 --> 55:40.710]  by a password, which means
[55:41.830 --> 55:42.710]  given that
[55:42.710 --> 55:43.970]  there's no password, you see
[55:43.970 --> 55:46.630]  it asking for password, you're wrong.
[55:46.730 --> 55:48.530]  So, we'll just do id,
[55:48.530 --> 55:50.410]  and we're root. We at least have the
[55:50.410 --> 55:52.570]  root's uid. And if we do
[55:52.610 --> 55:53.530]  a bash,
[55:54.350 --> 55:55.990]  we are now root.
[55:56.610 --> 55:58.290]  Okay. That
[55:58.290 --> 56:00.310]  is good. So, a recap,
[56:00.310 --> 56:02.370]  we covered sudo, sudoers,
[56:02.370 --> 56:04.430]  we went through open,
[56:04.430 --> 56:06.070]  sudo, we covered a bunch of easier
[56:06.070 --> 56:07.630]  application stuff.
[56:08.310 --> 56:10.270]  This is out of order a little bit.
[56:10.270 --> 56:11.490]  Disregard it.
[56:12.510 --> 56:14.450]  And so,
[56:14.450 --> 56:16.270]  yeah, we covered a variety of things
[56:16.270 --> 56:17.910]  from different angles,
[56:17.910 --> 56:20.190]  from GTFOBins to some
[56:20.190 --> 56:22.510]  CVEs from stuff from ExploitDB.
[56:22.970 --> 56:24.250]  And just try to develop
[56:24.250 --> 56:25.750]  the whole mindset that
[56:26.350 --> 56:28.330]  you can really dig into sudo
[56:28.330 --> 56:30.470]  and get creative and really have fun
[56:31.610 --> 56:32.790]  with it.
[56:33.850 --> 56:34.310]  And so,
[56:34.310 --> 56:35.810]  I tried to cite as much...
[56:35.810 --> 56:38.150]  I tried to cite everything that I could that I pulled
[56:38.150 --> 56:40.850]  from, and I included that at the very end.
[56:41.370 --> 56:42.210]  If you
[56:42.210 --> 56:44.170]  happen to see your material featured in
[56:44.170 --> 56:46.030]  here, and I did not
[56:46.030 --> 56:48.210]  give you proper citation, just let me know
[56:48.210 --> 56:50.010]  and I'll add it. I'm not
[56:50.010 --> 56:52.490]  trying to plagiarize your stuff.
[56:52.610 --> 56:54.390]  I try to give all
[56:54.390 --> 56:56.870]  the citation credit where it is due.
[56:57.590 --> 56:57.890]  And
[56:59.070 --> 57:00.790]  that is my talk.
[57:07.230 --> 57:07.790]  Okay,
[57:07.790 --> 57:09.750]  do we have any questions?
[57:12.070 --> 57:13.630]  I was trying to get
[57:13.630 --> 57:15.310]  the mute button working, but
[57:15.910 --> 57:17.010]  yeah, basically
[57:17.890 --> 57:19.710]  first of all, thank you so much for
[57:19.710 --> 57:21.710]  supporting us and for the great presentation
[57:21.710 --> 57:23.870]  here. We're accepting questions
[57:23.870 --> 57:25.870]  through Discord, and if you just
[57:25.870 --> 57:27.850]  join us in the bottom of the screen,
[57:27.850 --> 57:29.830]  there should be, whether you're on Twitch or
[57:29.830 --> 57:31.870]  YouTube, there should be a link to our
[57:31.870 --> 57:33.910]  website, and of course from there
[57:33.910 --> 57:35.690]  you can actually get to our Discord
[57:35.690 --> 57:37.810]  channel. So if you have any questions for
[57:37.810 --> 57:39.890]  Tyler, please do so there.
[57:40.430 --> 57:42.210]  We're going to go on a brief break,
[57:42.210 --> 57:43.830]  and then the next presenter will start
[57:43.830 --> 57:45.830]  in about 15 minutes. Thank you
[57:45.830 --> 57:46.010]  again.
